Forum Discussion
Solved
Restrict PowerShell on end user devices
Hello all All devices are running the latest version on Windows 10. We have deployed defender for endpoint, Intune, and sccm. Can defender for endpoint tell me what the current powershell execution ...
- I agree that digitally signing any scripts is best from a security perspective, no doubt about that. Scripts ran via the Intune scripts option will be ran via the Intune Management Extension, which should respect whatever the execution policy is set to on the device itself. There's a few public resources available which recommend the option as described above using a Win32 app in Intune, which might be best for your scenario.
You can also use a configuration profile (Windows 10, Settings catalog) to enforce the PowerShell execution policy on devices. Search for the "Turn on Script Execution" option under "Administrative Templates\Windows Components\Windows PowerShell".
Why not run a script using Intune? You can target any script directly to devices.
https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
- does this require the powershell execution policy to be set to bypass? I want to configure all devices for "remote signed"
- Scripts that you run using Intune are executed locally on each device. Unless you pull in other resources like scripts or execute another remote script from the one you assign to a device, you shouldn’t have the need to change anything.
Even if you do need to change the execution policy, you could do so from within the script that you assign to a device.- Understood, however if we create a script that is not digitally signed and we deploy the script to devices using intune, if the powershell execution policy on the device is set for RemoteSigned, then from my understanding the script will not run. Again im trying to move away from "bypass" as the execution policy
